Date post: 19-May-2020
Page 1: Best Practices for Mitigating HIPAA Breaches in 2016 (csohio.himsschapter.org/sites/himsschapter/files... · 2016-08-01 · Recap of 2015 Healthcare Data Breaches • Incident response)

Best Practices for Avoiding & Mitigating HIPAA Breaches in 2016

June 8, 2016

Page 2

About Me

• 19 Years IT Consulting Experience
• PMP
• University Med Center Y2K to HIPAA to Managing Ethical Hackers
• Managing Partner of FOQUS Partners

Page 3

WHYs for Incident Response

Page 4

WHYs for Incident Response

• Ensure financially viable organization / reduce risks
• Build patient trust / protect privacy of patients
• Improve healthy outcomes
• Fight for good


Page 8

Recap of 2015 Health Data Breach Trends

#1: Individuals Affected Skyrocketing

Individuals affected by reported breaches, by year:

Year   Individuals affected
2010   5,524,176
2011   13,149,792
2012   2,759,709
2013   6,930,414
2014   12,621,826
2015   113,255,324

Since 2009: 154,225,324

*Data Source: US Dept of Health & Human Services Office for Civil Rights

Page 9

Recap of 2015 Health Data Breach Trends

#2: Rate of Increase for Reported Breaches Slowing

Year   # of Breaches
2010   197
2011   195
2012   203
2013   270
2014   289
2015   266

(The chart also plots a logarithmic trendline, "Log. (# of Breaches)".)

Recap of 2015 Healthcare Data Breaches

Data Source: U.S. Department of Health & Human Services Office for Civil Rights

Page 10

Recap of 2015 Health Data Breach Trends

What's the Data Telling Us?

# of Patients Affected Skyrocketing
+ # of Breaches Consistent
= Average Impact of Breaches Increasing

Recap of 2015 Healthcare Data Breaches

Page 12

Average # of Patients Affected Per Breach

Year   Avg # of patients affected per breach
2012   13,595
2013   25,668
2014   43,674
2015   425,772

Page 13

[Chart: Health Breaches Affecting 500k+ Individuals, by year 2012-2015; y-axis 0 to 8 breaches]

Page 14

So What?

Ponemon Institute reports the average cost of a healthcare data breach is $363 per exposed personally identifiable record ($359 in 2014, up $4).

# of Exposed Personally Identifiable Records   Average Cost of Breach
1,000                                           $363,000
5,000                                           $1,815,000
10,000                                          $3,630,000
50,000                                          $18,150,000
100,000                                         $36,300,000

Page 15

Recap of 2015 Healthcare Data Breaches

#3: Impact increasing, but organizations adopting best practices to reduce costs

Factors Driving Costs Higher

• Increase in percentage of attacks criminal in nature

Why is it so valuable? 2014 FBI bulletin black market valuations:

Health Record: $50
Valid Credit Card: $1

Page 16

Recap of 2015 Healthcare Data Breaches

#3: Impact increasing, but organizations adopting best practices to reduce costs

• Consequences of lost revenues increasing

Page 17

Recap of 2015 Healthcare Data Breaches

#3: Impact increasing, but organizations adopting best practices to reduce costs

Factors Driving Costs Higher

• Increase in percentage of attacks criminal in nature
• Consequences of lost business increasing
• Detection & escalation costs increasing

Page 18

Recap of 2015 Healthcare Data Breaches

#3: Impact increasing, but organizations adopting best practices to reduce costs

Factors Driving Costs Higher

Best practices and average savings per exposed record:

• Incident response team & plan ($12.6)
• Extensive use of encryption ($12.0)
• Employee training ($8.0)
• Business continuity management involved ($7.1)
• CISO appointed ($5.6)
• Board of directors involvement ($5.5)
• Insurance protection ($4.4)

Page 19

Recap

Page 20

Reasonable Measures for Incident Response

What Is "Reasonable": 45 CFR 164.306(b): Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting ePHI; and as applicable to the covered entity or business associate –

A. Implement the implementation specification if reasonable and appropriate; or

B. If implementing the implementation specification is not reasonable & appropriate:
   1. Document why it would not be reasonable and appropriate to implement the implementation specification; and
   2. Implement an equivalent alternative measure if reasonable and appropriate.

Page 21

Average Time to Identify & Contain Breach

Malicious Attack: 256 Days*
Human Error: 158 Days*

*Data Source: Ponemon Institute

Page 22

Trends in Reasonableness

Large Breaches Raising The Bar

• Exposure
  • Notifications
  • Public hearings
  • Investigations
  • Media
• Lessons learned

Page 23

Trends in Reasonableness

Organization-wide Response

• Not just an "IT Issue"
• Significant financial impact
  • Board of directors
  • Patient churn
• Employees
  • Awareness
  • Training

Functions involved: Human Resources, Public Relations, Legal, Board of Directors, Finance & Accounting, Information Technology, Risk & Compliance

Page 24

Trends in Reasonableness

Significant Financial Impact

• Per exposed personally identifiable record*:
  • Avg cost of health data breach: $363
  • Avg savings by involving Board of Directors: $5.50
  • Avg savings by having CISO: $5.50
• Breaches impacting patient decisions

*2015 Ponemon Institute Report


Page 26

Trends in Reasonableness

Employees As Front-Line

• Most likely source of a breach
• Culture of security & privacy
  • Employees as front-line defense
  • Incidents as training input

Page 27

Trends in Reasonableness

Have An Incident Response Plan

• Regulatory reporting complexity increasing
• Eliminate ongoing threats
• Avg $12.50 per record savings

Page 28

Recap of 2015 Healthcare Data Breaches

Page 29

Incident Response Best Practices

Differentiate Incidents and Breaches

Security Incident
• What is it? An event in violation of a security policy such as impersonation, denial of service, theft, intrusion, etc.
• Regulatory reporting requirements: None today
• Formats: Paper, electronic device, electronic records, physical location
• Organizational tasks: Investigation, Remediation, Risk Mitigation

Security Breach
• What is it? An incident resulting in release of protected personal or confidential data.
• Regulatory reporting requirements: Local, state & federal requirements
• Formats: Paper or electronic records
• Organizational tasks: Investigation, Remediation, Risk Mitigation + Notifications + Regulatory Reporting

Page 30

Incident Response Best Practices

*Image courtesy healthylawyers.com

Page 31

Incident Response Best Practices

Differentiate Incidents and Breaches

Decision Tree Tools

Definition of Breach: https://www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNProducts/Downloads/HIPAAPrivacyandSecurityTextOnly.pdf

Guide to "Securing" PHI: http://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html

Page 32

Incident Response Best Practices

Differentiate Incident & Breach Types

Incident Types
• Social engineering / impersonation
• Unauthorized physical or electronic access
• System compromise
• Account compromise
• Denial of service
• Network / vulnerability scanning
• Physical loss / destruction
• Misconfiguration
• Software vulnerability
• Licensing violation

Breach Types
• Protected Health Information
• Mental Health Information
• Personally Identifiable Information
• PCI / Credit Card
• Malicious / Theft
• Accidental / Loss
• Internal
• External
• Paper
• Electronic

Page 33

Incident Response Best Practices

Document Breach Reporting Processes

Regulations, Regulations, Everywhere!

Protected Data Types: Patient Health Data; Credit Card Data; Personally Identifiable Data; Education Data; SEC Data

Regulation Types: Federal; State; Local; Contractual

Page 34

Incident Response Best Practices

Document Breach Reporting Processes

• Document reporting process by regulation
• Define reporting teams (Legal, Risk, IT, etc.)
• Identify internal reviews & approvals
• Timeline requirements

Note: state and local reporting requirements vary

Page 35

Incident Response Best Practices

Document Breach Reporting Processes: HIPAA Example

Report online at: https://ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf

• > 500 individuals: "Without unreasonable delay and in no case later than 60 calendar days from discovery of breach"
• < 500 individuals: within 60 days of the end of the calendar year in which the breach was discovered. All can be submitted on the same day, but each must be an individual submission.
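The two OCR reporting windows on this slide as a deadline calculation, an added example that is not part of the deck. It assumes the HIPAA threshold is 500 or more individuals (the slide writes "> 500") and models only the federal OCR deadline, not the varying state and local requirements.

```python
from datetime import date, timedelta

# Added example (not from the slides): the two HHS OCR reporting windows
# quoted on the slide, turned into a date calculation.
#   500 or more individuals : without unreasonable delay, at most 60
#                             calendar days from discovery of the breach
#   fewer than 500          : within 60 days of the end of the calendar
#                             year in which the breach was discovered
# Assumption: the threshold is "500 or more" (the slide writes "> 500").
# Only the federal OCR deadline is modelled; state and local requirements
# vary, as the deck notes, and are not covered here.

LARGE_BREACH_THRESHOLD = 500
REPORTING_WINDOW = timedelta(days=60)


def ocr_reporting_deadline(discovered: date, individuals_affected: int) -> date:
    """Latest calendar day the breach may be reported to HHS OCR."""
    if individuals_affected < 0:
        raise ValueError("individuals_affected must be non-negative")
    if individuals_affected >= LARGE_BREACH_THRESHOLD:
        # The clock starts at discovery, not at containment or confirmation.
        return discovered + REPORTING_WINDOW
    # Small breaches are batched: the clock starts at the end of the
    # calendar year of discovery, so a breach found on 2 January and one
    # found on 30 December of the same year share a deadline.
    year_end = date(discovered.year, 12, 31)
    return year_end + REPORTING_WINDOW


def deadline_iso(discovered_iso: str, individuals_affected: int) -> str:
    """Same calculation on ISO-8601 strings, convenient for tickets and logs."""
    found = date.fromisoformat(discovered_iso)
    return ocr_reporting_deadline(found, individuals_affected).isoformat()


def is_overdue(discovered: date, individuals_affected: int, today: date) -> bool:
    """True once the federal reporting window has closed."""
    return today > ocr_reporting_deadline(discovered, individuals_affected)


if __name__ == "__main__":
    # Constructed sample incidents, not real breaches.
    samples = [
        ("2016-03-10", 12000),   # large breach, mid-year
        ("2016-03-10", 120),     # small breach, same discovery date
        ("2016-12-31", 499),     # small breach found on the last day of the year
        ("2016-06-15", 500),     # exactly at the assumed threshold
    ]
    for found, count in samples:
        print(found, count, "->", deadline_iso(found, count))
```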

Page 36

Incident Response Best Practices

OCR Breach Portal Reporting

Pages 37-41

Incident Response Best Practices

Page 42

Incident Response Best Practices

Engage Employees

Train
- Awareness
- Processes

Empower
- Easy reporting
- Routed to action

Reward
- Recognition
- Incentives

Page 43

Incident Response Best Practices

A Living Plan: schedule proactive tasks

1Q
• Review & Update
• Quarterly Lessons Learned

2Q
• Communicate Changes
• Quarterly Lessons Learned

3Q
• Staff Training
• Quarterly Lessons Learned

4Q
• Tabletop Exercises
• Quarterly Lessons Learned

Page 44

Q&A

Page 45

Thank you

Patrick Quirk
PQUIRK
@PQVIEWS
[email protected]
859-312-7267
